Hello Melissa
- Create a Device Security Policy:
  - In the Microsoft 365 Security Center, go to "Devices" and then "Policies & Profiles."
  - Create a new policy with the following settings:
    - Platform: Windows
    - Enrollment Type: MDM enrolled
    - Configuration Profiles: Windows Defender Antivirus
  - Apply this policy to a security group that includes all your domain-joined computers.
- Enable Conditional Access based on the Device Security Policy:
  - In the Azure portal, go to "Azure Active Directory" and then "Security."
  - Set up a Conditional Access policy that requires devices to comply with the Device Security Policy.
  - This will ensure that only domain-joined computers with the Device Security Policy applied will have access to MDE.
- Script to offboard personal computers:
  - Create a PowerShell script that runs on personal computers and removes them from MDE.
  - The script should use the MDE PowerShell module to connect and remove the device from MDE.
  - You can use the following command in your script:

        Remove-MpPreference -RemoveAllSettings -Force

- Deploy the script to personal computers:
  - Use a software distribution tool like Intune or third-party solutions to deploy the script to personal computers.
  - Ensure that the deployment is targeted only to personal computers.
  - Once the script runs, it will remove the personal computers from MDE.
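As an added example for the last two steps (this is not part of the reply above and not Microsoft's code), here is a PowerShell script that makes the "personal computer" decision on the device itself rather than trusting the deployment targeting alone: it checks whether the machine is domain-joined and whether it is currently onboarded to Microsoft Defender for Endpoint, and only when it is personal and still onboarded does it run the offboarding package that is downloaded from the Defender portal (Settings > Endpoints > Offboarding; each package is valid for 30 days). That portal package is what actually removes a device from MDE; the Defender Antivirus cmdlets such as Remove-MpPreference only change antivirus settings on the box. The staged package path, the -DryRun switch and the helper function names are assumptions made for illustration.

```powershell
# Added example, not the reply author's script. Run elevated on the target device.
# Assumption: the deployment tool has already copied the portal-generated
# offboarding .cmd to $OffboardingPackage (placeholder path and file name).
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]$OffboardingPackage = "$env:ProgramData\Offboard\WindowsDefenderATPOffboardingScript.cmd",
    [switch]$DryRun
)

$ErrorActionPreference = 'Stop'

function Test-DomainJoined {
    # Classic Active Directory join. Note: Azure AD-joined devices report
    # PartOfDomain = $false, so extend this check if those count as corporate.
    return [bool](Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
}

function Get-MdeOnboardingState {
    # Registry value written by the Sense service: 1 = onboarded.
    # Returns $null when the value is absent (device was never onboarded).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.OnboardingState) { return $null }
    return [int]$props.OnboardingState
}

function Test-SenseServiceRunning {
    # "Sense" is the Windows Defender Advanced Threat Protection service.
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

$domainJoined = Test-DomainJoined
$state        = Get-MdeOnboardingState
$stateText    = if ($null -eq $state) { 'not set' } else { $state }

Write-Host ("{0}: DomainJoined={1} OnboardingState={2} SenseRunning={3}" -f
    $env:COMPUTERNAME, $domainJoined, $stateText, (Test-SenseServiceRunning))

# Guard 1: never offboard a domain-joined (corporate) machine, even if the
# deployment targeting was wrong.
if ($domainJoined) {
    Write-Host 'Domain-joined device: leaving MDE onboarding in place.'
    exit 0
}

# Guard 2: nothing to do if the device is not onboarded.
if ($state -ne 1) {
    Write-Host 'Device is not onboarded to MDE: nothing to do.'
    exit 0
}

if (-not (Test-Path -LiteralPath $OffboardingPackage)) {
    throw "Offboarding package not found at '$OffboardingPackage'."
}

if ($DryRun) {
    Write-Host "Dry run: would execute '$OffboardingPackage'."
    exit 0
}

# The portal package is a .cmd file; run it through cmd.exe and wait for it.
$proc = Start-Process -FilePath 'cmd.exe' `
    -ArgumentList "/c `"$OffboardingPackage`"" `
    -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    throw "Offboarding package exited with code $($proc.ExitCode)."
}

# Verification: the Sense service processes the offboarding request
# asynchronously, so re-read the state after a short wait and report it.
Start-Sleep -Seconds 15
$after = Get-MdeOnboardingState
if ($after -eq 1) {
    Write-Warning 'OnboardingState is still 1; Sense has not processed the offboarding yet. Re-check after a few minutes or a reboot.'
    exit 1
}
Write-Host "Offboarding requested; OnboardingState is now $after."
exit 0
```

Deploy it with the -DryRun switch first to confirm, from the logged output, that only the expected machines would be touched; an offboarding package that has passed its 30-day validity fails at the package step rather than silently leaving the device onboarded, which is why the script checks the exit code and re-reads the state instead of assuming success.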